[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Boris Zbarsky bzbarsky at MIT.EDU
Wed Feb 18 07:27:47 PST 2009


On Thu, 25 Sep 2008, Michal Zalewski wrote:
> 1) Create a HTTP-level (or HTTP-EQUIV) mechanism along the lines of
>    "X-I-Do-Not-Want-To-Be-Framed-Across-Domains: yes" that permits a web
>    page to inhibit frame rendering in potentially dangerous situations.
>
>    Pros:
>
>    - Super-simple
>
>    Cons:
>
>    - "Opt-in", i.e. currently vulnerable sites remain vulnerable unless
>      action is taken

Right.  And really no different from:

   <script>
     if (window != window.top)
       window.top.location.href = window.location.href;
   </script>

in effect, right?  This last already works in all browsers except IE, 
which is presumably why IE felt the need to add another way to do it.

There _is_ an issue here if script is disabled, of course.  In that 
case, are there still situations where the parent frame can effectively 
mislead the user?

> 2) Add a document-level mechanism to make "if nested <show this> else
>    <show that>" conditionals possible without Javascript. One proposal is
>    to do this on the level of CSS (by using either the media-dependency
>    features of CSS or special classes); another is to introduce new HTML
>    tags. This would make it possible for pages to defend themselves even
>    in environments where Javascript is disabled or limited.

Right, addressing the concern above.  The pro is that it ties 
information directly to the document.  The con is that it's harder to 
deploy site-wide....  Is that a concern?

-Boris



More information about the whatwg mailing list